From: -No Strezzz Cazzz (Butterphly6@CAZZZ.DEMON.NL)
Date: Fri Mar 30 2001 - 23:09:41 CST


    Moderator: some important updates/corrections on my previous message. Please
    cancel the old one and post this one instead, or post this as a reply to my
    first message. Thanks!
    ---------------------------------------------------

    Made in Holland
    PCP/A #0006 (pr0ph)

    Local Bufferoverflow/Vulnerability in Telnet.exe

    When checking whether this was a known bug/vulnerability I came across the
    following posting, "telnet.exe heap overflow - remotely exploitable", sent to
    the Bugtraq mailing list on the 15th of August 1999. Message-ID:

    <19990815220227.37285.qmail@hotmail.com>

    It has some similarities, but it doesn't mention the DoS on OE it triggers.

    Let's continue. The version of Telnet that is shipped with most Microsoft
    systems contains a buffer that can be overflowed, which will result in the
    Denial of Service of several applications, including Outlook Express.

    If you fill up the "Host Name" buffer (Connect/Remote System/Host Name) with
    the maximum of 256 chars and press "Connect" (tested with 256 "A"
    characters) you will receive the following "Dr. Watson for Windows NT"
    error:

    "An application error has occured and an application error log is being
    generated.

    RASMAN.exe

    Exception: access violation (0x00000005), Address 0x00780078"

    This will create a USER.DMP file in your WINNT directory (all Dr. Watson
    warnings will create a USER.DMP file actually). However Telnet will not
    close down but will display a "Connection Failed!" message.

    You will also get this message by giving the following command from your
    command.com or command prompt shell:

    "telnet AAAAAAAA..." (256 A's or more). If you use numbers instead of
    letters the bug will not get triggered.

    Note that this bug will also NOT get triggered if OE has been opened/started
    since the last reboot, or when it's open/active at the time of the overflow.
    I have no idea why this is, so give me your view on this.

    If you try to start Outlook Express after this you will notice that it
    won't start. If you then choose "Restart the computer" from the "Start" menu
    you will get a message about something not responding. If you choose
    "close" you'll get the following error message:

    "msimn.exe - DLL Initialization Failed

    Initialization of the dynamic link library C:\WINNT\System32\rascauth.dll
    Failed. The process is terminating abnormally."

    OE will NOT start until you have rebooted your system. Logging in as another
    user without rebooting will NOT help. Note that if you triggered the bug you
    will have to reboot your system before you will be able to trigger/reproduce
    it again.

    This is tested on Windows NT4 Workstation with Service Pack 4.
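As an added example (not part of the original post), a small Python parser for Dr. Watson text in the format quoted above: it extracts module, exception code and fault address, flags the RASMAN.exe access-violation signature reported here, and decodes the fault address bytes. The sample entries are constructed for the example.

```python
import re
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed samples in the Dr. Watson format quoted in the advisory.
SAMPLE_RASMAN = """An application error has occurred and an application error log is being generated.

RASMAN.exe

Exception: access violation (0x00000005), Address 0x00780078
"""
SAMPLE_OTHER = """An application error has occurred and an application error log is being generated.

notepad.exe

Exception: integer divide by zero (0xc0000094), Address 0x00401234
"""
ACCESS_VIOLATION = 0x00000005

# Module name on its own line, then "Exception: <text> (<code>), Address <addr>".
DRWATSON_RE = re.compile(
    r"^(?P<module>[\w.-]+\.exe)\s*$\s*^Exception:\s*(?P<desc>[^(]+?)\s*"
    r"\((?P<code>0x[0-9A-Fa-f]+)\),\s*Address\s*(?P<addr>0x[0-9A-Fa-f]+)",
    re.MULTILINE,
)

@dataclass
class DrWatsonEntry:
    module: str
    description: str
    exception_code: int
    address: int

def parse_drwatson(text: str) -> Optional[DrWatsonEntry]:
    """Extract module, exception text/code and fault address; None if not a Dr. Watson entry."""
    m = DRWATSON_RE.search(text)
    if m is None:
        return None
    return DrWatsonEntry(m["module"], m["desc"].strip(), int(m["code"], 16), int(m["addr"], 16))

def is_rasman_access_violation(entry: Optional[DrWatsonEntry]) -> bool:
    """True for the RASMAN.exe access-violation signature the advisory reports."""
    return entry is not None and entry.module.lower() == "rasman.exe" and entry.exception_code == ACCESS_VIOLATION

def address_as_utf16le(address: int) -> str:
    """Render the 32-bit fault address as two UTF-16LE code units (x86 byte order); a fault
    address made of printable characters is a classic sign that input data reached a pointer."""
    return struct.pack("<I", address & 0xFFFFFFFF).decode("utf-16-le", errors="replace")
```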

    Try it yourself and please let us know the results (if they vary from the
    results mentioned above). Please mail us at:

    Special_Projects@cazzz.demon.nl (The Lab)
    Industrial_Strength@cazzz.demon.nl (The Exploiters)

    Another fine Planet Cazzz Production. In association with The Nations Top.
    We cannot be held responsible for your actions, but you can try. Made in
    Holland. PCP/A #0006 (pr0ph)

    We want to say hell0 to all the Crackers, the Hackers and the Phreax. We
    want to say hell0 to all the people in this place. We want to say hell0 to
    all the Sinners and 31337. We say hell0 to all the people in the world...

    -No Strezzz Cazzz, Powered By UN0X

    Planet Cazzz: Because the world is not enough...
